Hi Amos,
On Thu, Mar 17, 2011 at 12:49:20AM +1300, Amos Jeffries wrote:
> >
> > I don't get this to work in Squid 3. The 'header_access' option
> > has been split into {request,reply}_header_access, and 'header_replace'
> > seems to have been changed to only apply to request headers.
>
> AFAIK header_replace has only ever worked on request headers passing
> through to some external server.
No, in Squid 2 it also works for (Squid generated) reply headers,
we use this on our production servers as described.
> You want reply_header_access with the same logic to strip away
> "Proxy-Authenticate: NTLM"
Yeah, but reply_header_access only allows filtering by header name,
not header value, AFAIK.
> I have plans to add ACL testing to decide which auth types get added to
> the challenge headers in the first place. For exactly this type of
> restriction. But have no time to code it myself anytime soon. If you or
> anyone wants to do the work and test it I'm happy to advise and mentor
> the coding.
This sounds nice. But there are probably other use cases where
replacing reply headers could be useful. The small patch* attached
introduces a new config file option 'reply_header_replace' to do
this. This gets our old workaround working again.
To be consistent with the naming change of header_access in Squid 3,
header_replace should be renamed to request_header_replace, I think.
I'd be glad to send patches, if you're interested.
Thanks,
Marco
* Created with 'bzr send'; never used bzr before, so I don't know
if this is the usual way to send patches around...
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: mbeck@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# target_branch: http://www.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: 5814ea845f0ce9d5d696551b09a10d87e583541c
# timestamp: 2011-03-17 15:48:14 +0100
# base_revision_id: squidadm@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\
# w8jt9d6izh5pzcv2
#
# Begin patch
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2011-03-15 17:39:36 +0000
+++ src/cf.data.pre 2011-03-17 14:46:38 +0000
@@ -4393,6 +4393,24 @@
By default, headers are removed if denied.
DOC_END
+NAME: reply_header_replace
+IFDEF: USE_HTTP_VIOLATIONS
+TYPE: http_header_replace[]
+LOC: Config.reply_header_access
+DEFAULT: none
+DOC_START
+ Usage: reply_header_replace header_name message
+ Example: reply_header_replace Server Foo/1.0
+
+ This option allows you to change the contents of headers
+ denied with reply_header_access above, by replacing them
+ with some fixed string.
+
+ This only applies to reply headers, not request headers.
+
+ By default, headers are removed if denied.
+DOC_END
+
NAME: relaxed_header_parser
COMMENT: on|off|warn
TYPE: tristate
# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWUoY53AAAcLfgAQQUef//39n
3yq////wUAR1mu2p7ve47167d3WODIimKeExNT0anqabUB6QB6gD1A9GoyAEpJPIxJtSe0Seo0yM
RoGg0AANAeoAlBAhlJqe0nlTaCabSaAZAAaNNNA0BJImU9TCZNKfqntJqA2p7VPU9T1M0aINND1D
EAJJJMm1MaKeoZGnqADQNAeoyaAADSRE2pyimvYG6WEZV9ijj+NM70aKSVWCtc0rpVdOHQ8CEF3A
ssxBDSalu0yUDzgQIjbhqa4Ext4GCNtMWqdaIf1eScO2cutjHGDwo+rDrJzizwlUwW0qUt2XGVZp
aNnLuxj+Wiuvy+fLev73dhPhWHQiMbzIE8VUi2NmOFR9SMJz0pMJiv0C4JqXX52RmfYi0SgPdGuw
RHYsLdCG9kMDRIul26QeGtIYnAITSLiDUkb6k3OUliTNuQnRoKKnb5Ar2JCMRy6nqSx2V3VytsOE
RNbJkzCxz3dxhIytLjyciYz8lEFhjKoiPi5MospHNuDEWoLw8TAxIarxtWgQi86ErSvExlSopmJL
RdHAXMSZIoGKUIwS7ZeHDxthyZmUqcT0uHzrvtISDC0qSBfiDETNOO24VwdXdNRXESqlihZKjjBr
v0xRUiOMiOVaZQgopRJDlBZUg1BGYzeRrLYZlSSMnfA2VRcGJGeOHFFLGEejgUDOK/lzZrWuSEs+
S9eNQvHkAhUb1gwuDE/8pHRNbzPtYNWw9O58XEUVkRNZ5dFF1M0z4CCnjt0lX3nDfevqPv0fgHxB
gd1y4Wa/my49lcC6WvdVPRC19Mzbb0RbZHS6v3nqVZlMYmabIm5IDImRuZI7rBykQcRjr0DrRamh
BC41QEAxPqTkqc8dN27SLpxRUC41Qn1Ga1xkKy0Mp1F5KGOG6FGGYyHer5OXiRg9ykc59RR2NZZV
KvBrzXHJPjUyiMDEYN9ks2UVx8ipfNZYp+YnA+q3MlXua1C8wyr4z0mjXwuuclyh1KOOJCaT29Sz
N0lHZWpA2bfCt1IhVBMD2GvkStls0mF10KHvGxKtyQOfmmcBsYG0B0UKcuNaZIQAj5Y5TQ8c4M4p
BbSHQ+NG/UGOKa2RlHd1WKky/U2Ur4l6dnBvWQcqPcVMhgm4EH2KYqzpNZeD0MnG9IS2F9ERF6BN
PN+alyS6VsyW0bQGIrojp5DQYzfMpM4Dp5Bwg5QiJmG1CmZX8BNXRlO2dVgsKZ4k4H4tJ2omyc0S
y7RdkJqIZ4EYBA9EGHSHcuMoyHdByiwmXk5PQRyJeLHpjJIvw980W/MkPKAyqoNL1PDth0VbHOJ0
s5ZZrKMmC+J0HJNg1K0940pnFudqlFPakzmSIhbRBoFK8tjxOQ4yMHg1e11jJ9Iecp0X64orWCCH
rUipFWTfmLDjI+OCNAVY9Sjb2tSpcAsE3MeVP1zUFtZEcJrnbTxS/ycDyO/ujJRn04EtQxhGw5kX
sXhFLmbNUnzsl7OX3Hk4wOV436Z5cycjBEXZyBiBkKYrXfabieOO2BclbPFjQWQwAz89khwkRS/4
u5IpwoSCUMc7gA==
